Mozilla Start Drafting Plans To Deprecate Insecure HTTP
-
Yea, certificates are a pain. I have my own website and would love to use HTTPS, but getting a certificate that browsers acknowledge is hard; and it is serving static content only, aside from the control panel itself, so it's not worth the bother. Let's Encrypt does sound pretty good, but then I'd imagine Mozilla should start thinking about whether to try and deprecate http only after it's launched.
-
ISPs must NEVER have keys
Originally posted by carewolf:
That is exactly what he is talking about. That media content is often cached on ISP level.
Right now we have Verizon's tracking headers (at least we stopped Turn), against which HTTPS works and Tor Browser offers 100% protection, T-Mobile's "web guard" proxy, and the known fact that most ISPs keep and presumably sell detailed lists of sites visited. We are rapidly approaching a future where everyone will have to use Tor for all online activity, and in order to handle the bandwidth Tor will have to require every connection to serve as an exit node. This will slow down the Internet as a whole by a factor of three but may be the only defense against carriers who are so deeply malicious they make the NSA look like a joke.
-
There are 2 different security issues that HTTPS addresses.
1. Authentication. You received what the website actually sent.
2. Privacy. Only you know what the website sent.
For many websites all that is needed/wanted is authentication. By switching to full-blown HTTPS, you get both security features, but for some things (static images), all you really want is authentication. For this type of content, HTTPS providing privacy is actually bad because it breaks things like transparent proxies.
In the end, I would rather see everything delivered via HTTPS, but I think the best solution would be to have everything default to fully secure and have the website selectively mark content as authentication only.
-
Originally posted by vadix:
Maybe I just don't have a sense of humor, but I am fairly certain that the majority of web traffic comes from media content anyways, so I don't think that is a reasonable conclusion.
-
letsencrypt
When letsencrypt is functional, https should become pretty convenient.
The Let's Encrypt ACME Directory URL is: https://acme-v02.api.letsencrypt.org/directory
To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol which typically runs on your web host.
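What "demonstrate control over the domain" means in ACME terms, as an added example that is not part of any post in this thread and is not Let's Encrypt's code. It goes beyond the quoted text by following RFC 8555's http-01 and dns-01 challenges; the token and JWK values are constructed, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import re

# JWK members that enter the RFC 7638 thumbprint, per key type.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # base64url alphabet only

# Constructed sample values (not a real CA token or a real account key).
SAMPLE_TOKEN = "constructed-token-0123456789_ABCDEF"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}

def b64url(data: bytes) -> str:
    """Unpadded base64url, as JOSE and ACME use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members only, sorted, no whitespace."""
    members = {name: jwk[name] for name in THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def checked_token(token: str) -> str:
    """The token becomes a file name, so refuse '/', '.' and the like."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token contains characters outside base64url")
    return token

def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: ties the CA's challenge to one account key."""
    return f"{checked_token(token)}.{jwk_thumbprint(jwk)}"

def http01_path(token: str) -> str:
    """Path the CA fetches over plain HTTP on the domain being validated."""
    return "/.well-known/acme-challenge/" + checked_token(token)

def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value for the _acme-challenge.<domain> TXT record."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)

def http01_body_ok(body: bytes, token: str, jwk: dict) -> bool:
    """CA-side check: trailing whitespace is ignored, the rest must match."""
    expected = key_authorization(token, jwk).encode("ascii")
    return hmac.compare_digest(body.rstrip(), expected)
```

Because the key authorization includes the account key thumbprint, a party that only learns the token cannot pass validation for a different ACME account.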
-
Originally posted by uid313:
Yeah, and deprecate anonymity too.
In the future everyone who published any content on the web must use HTTPS and provide their data to government. No anonymous blogging for you!
If you have an opinion, we want to know who you are and where you live!
If it is something like WordPress or Blogger, some platform, its hoster will get a wildcard cert for all subdomains and you can still register with a trash-mail like right now.
Certificates can also be domain validated so all that is checked is if you can receive mail for that domain.
Not much difference to what we have right now.
-
Originally posted by uid313:
Yeah, and deprecate anonymity too.
In the future everyone who published any content on the web must use HTTPS and provide their data to government. No anonymous blogging for you!
If you have an opinion, we want to know who you are and where you live!
There are CAs that check only if you are able to receive mails for that domain you want a certificate for, and if you purchase webspace your name and address are usually already known to the hoster.
If it is a blogging platform, the blog hoster will get the cert for the domain and you still only register with an anonymous mail address.
Don't see your problem.
-
Originally posted by nanonyme:
Next step: People notice it was stupid to remove HTTP because transparent caching proxies no longer work so everyone runs out of capacity. As a result keys are given to ISPs so they can terminate SSL, cache, and send connection forward as SSL
I ran transparent caching for years and when it came down under 12% hit rate (*NOT* including video), I just gave up.